RIA SECURITY TECHNOLOGY




Ulysses Wang, Security Researcher, Websense. Hermes Li, Security Researcher, Websense. 2009 Websense, Inc. All rights reserved.

Agenda: RIA Introduction; Flash Security (Attack Vectors, Threats In the Wild, Detection); PDF Security (Attack Vectors, Threats In the Wild, Detection); Conclusion; Q&A.

RIA Introduction

Rich Internet Application, key characteristics: delivers a rich user experience; based on the Internet; highly interactive.

RIA Plugins: Adobe Flash, Java and Microsoft Silverlight.

Adobe Vulnerability

Attack Vectors

Flash Exploit: chart of Flash Player related vulnerabilities per year, 2001 to 2009.

Flash Exploit (cont.): 34 million SWF applications are vulnerable according to Websecurity (2009.12). Flash exploits seen in the wild: CVE-2007-0071, CVE-2009-1862, CVE-2010-1297.

Flash XSS: the Renren.com Flash XSS worm.

Flash Malvertisement: malicious Flash ads served on Yahoo, CNN and the New York Times; ad bars for products; downloads of rogue AV.

Threats In the Wild

CVE-2007-0071 (version 1): May 2008.

CVE-2007-0071 (version 2): wrapped with ActionScript 3; April 2009.

CVE-2007-0071 (version 3): wrapped with ActionScript 3, with the encrypted exploit data stored in the JavaScript of the page (Phoenix exploit kit).

CVE-2007-0071 (version 3), Phoenix exploit kit flow between the payload page and the Flash file:
1. The payload page calls the embedded Flash file.
2. The Flash file calls the payload page for the encrypted data.
3. The payload page detects the Flash Player version and returns the encrypted data.
4. The Flash file decodes the data and runs the CVE-2007-0071 file.

Future Trends: the most dangerous vulnerabilities are those that execute code; more ActionScript obfuscation, in the style of JavaScript obfuscation; tighter coupling with JavaScript.

Detection

Scanner modules: signature scanner, exploit scanner, ActionScript scanner, honeyclient scanner.

Signature Scanner: parses the SWF format; signature-based detection.

Exploit Scanner: checks the DefineSceneAndFrameLabelData tag (the field abused by CVE-2007-0071); shellcode detection.

ActionScript Scanner: detects suspicious ActionScript (Loader.loadBytes, parseInt, charCodeAt, too many push actions); URL checks based on the Websense URL database; suspicious tags; file size and tag count.

Honeyclient Scanner: honeyclient detection; logs HTTP traffic; monitors files, registry key values and processes.
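As an added example (not code from the Websense deck), a small Python SWF walker doing what the signature, exploit and ActionScript scanner slides describe: it parses the FWS/CWS header and tag list, flags an out-of-range SceneCount in DefineSceneAndFrameLabelData (the field behind CVE-2007-0071) and reports the suspicious ActionScript names found inside DoABC tags. The 0x10000 scene-count ceiling, the raw-byte token match and the constructed sample files are assumptions of this example; a real DoABC body carries ABC bytecode whose constant pool would be parsed rather than grepped.

```python
import struct
import zlib

# Tag codes from the SWF file format specification
TAG_END = 0
TAG_DOABC = 82
TAG_DEFINE_SCENE_AND_FRAME_LABEL_DATA = 86

# Heuristics: the token list follows the slide; the scene-count ceiling is this example's assumption
SUSPICIOUS_AS_TOKENS = (b"loadBytes", b"parseInt", b"charCodeAt")
MAX_SANE_SCENE_COUNT = 0x10000


def read_encoded_u32(buf, pos):
    """Decode an SWF EncodedU32: 7 data bits per byte, high bit = continue, at most 5 bytes."""
    value, shift = 0, 0
    for _ in range(5):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return value & 0xFFFFFFFF, pos


def encode_u32(value):
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def parse_swf(data):
    """Return (version, [(tag_code, tag_body), ...]); handles FWS and zlib-compressed CWS."""
    sig, version = data[:3], data[3]
    body = data[8:]                           # bytes 4..7 hold the uncompressed length
    if sig == b"CWS":
        body = zlib.decompress(body)
    elif sig != b"FWS":
        raise ValueError("not an FWS/CWS file (LZMA ZWS is not handled here)")
    nbits = body[0] >> 3                      # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4        # padded to a byte, then FrameRate + FrameCount
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                    # long form: explicit 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return version, tags


def scan_swf(data):
    """Exploit scanner + ActionScript scanner: return a list of human-readable findings."""
    findings = []
    _, tags = parse_swf(data)
    for code, tbody in tags:
        if code == TAG_DEFINE_SCENE_AND_FRAME_LABEL_DATA:
            scene_count, _ = read_encoded_u32(tbody, 0)
            if scene_count > MAX_SANE_SCENE_COUNT:
                findings.append("DefineSceneAndFrameLabelData SceneCount 0x%x "
                                "(CVE-2007-0071 integer overflow pattern)" % scene_count)
        elif code == TAG_DOABC:
            hits = [t.decode() for t in SUSPICIOUS_AS_TOKENS if t in tbody]
            if hits:
                findings.append("DoABC references " + ", ".join(hits))
    return findings


def build_swf(tags, compress=False):
    """Assemble a minimal SWF around the given tags (constructed test input, not a real movie)."""
    rect = bytes([15 << 3]) + bytes(8)        # Nbits = 15 -> 65 bits -> 9 bytes
    body = bytearray(rect + struct.pack("<HH", 0x1800, 1))   # 24 fps, 1 frame
    for code, tbody in tags + [(TAG_END, b"")]:
        if len(tbody) < 0x3F:
            body += struct.pack("<H", (code << 6) | len(tbody))
        else:
            body += struct.pack("<HI", (code << 6) | 0x3F, len(tbody))
        body += tbody
    payload = zlib.compress(bytes(body)) if compress else bytes(body)
    return (b"CWS" if compress else b"FWS") + bytes([9]) + struct.pack("<I", 8 + len(body)) + payload


# Constructed samples: one scene named "Scene 1", versus an out-of-range SceneCount
BENIGN_SCENE = encode_u32(1) + encode_u32(0) + b"Scene 1\x00" + encode_u32(0)
OVERFLOW_SCENE = encode_u32(0xFFFFFFFF) + b"\x00"
# Stand-in for a DoABC body (real ones hold ABC bytecode whose constant pool exposes these names)
FAKE_DOABC = b"\x01\x00\x00\x00frame1\x00flash.display.Loader\x00loadBytes\x00parseInt\x00charCodeAt\x00"

BENIGN_SWF = build_swf([(TAG_DEFINE_SCENE_AND_FRAME_LABEL_DATA, BENIGN_SCENE)])
MALICIOUS_SWF = build_swf([(TAG_DEFINE_SCENE_AND_FRAME_LABEL_DATA, OVERFLOW_SCENE),
                           (TAG_DOABC, FAKE_DOABC)], compress=True)
```

Running scan_swf over a compressed CWS file exercises the same path as the uncompressed one because the header is stripped and the body inflated before tag walking; the size and tag-count heuristics from the slide would sit naturally on the returned tag list.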

PDF Security

PDF Security Trend: chart of PDF CVE records per year, 2000 to 2009.

Why Malware Uses PDF: Portable Document Format = easy + quick; supported on all platforms; can be emailed around; works offline; supports embedded RIA.

PDF Frame: file header, objects, cross-reference table, trailer.
%PDF-1.3
1 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 /MediaBox [0 0 595.28 841.89] >>
endobj
xref
0 10
0000000000 65535 f
0000000550 00000 n
0000000733 00000 n
0000000009 00000 n
0000000087 00000 n
trailer
<< /Size 10 /Root 9 0 R /Info 8 0 R >>
startxref
8983
%%EOF

Filters Used in Malicious PDF. ASCIIHexDecode filter: hex-encoded stream data. Names can also be hex-escaped with #, which hides the filter from naive string matching, e.g. /Filter /#46#6c#61#74#65#44#65#63#6f#64#65 (= /FlateDecode). FlateDecode filter: stream compressed with zlib. Crypt filter: /Filter /Standard.

Encrypted PDF (indirect object carrying the Standard crypt filter, referenced by name from the trailer):
14 0 obj
<< /R 3 /P -3904 /O (32-byte binary string, garbled in transcription) /Filter /Standard /Length 128 /V 2 /U (32-byte binary string, garbled in transcription) >>
trailer
<< /Encrypt 14 0 R /Info 15 0 R /Root 1 0 R /Size 16 /ID [<3249d6fe1386f4984c3df5d288c0bb49><3249d6fe1386f4984c3df5d288c0bb49>] >>
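Added example, not from the deck: the Standard security handler arithmetic behind that dictionary, in Python. Most encrypted malicious PDFs rely on an empty user password so the reader opens them without a prompt; a scanner can do the same before looking for scripts. The code derives the file key from /O, /P and the first /ID string (MD5, re-hashed 50 times for /R 3), checks it against /U, then RC4-decrypts an object stream with the per-object key. /P, /R, /V, /Length and /ID are taken from the slide; the /O value, the object number and the JavaScript payload are constructed for this example.

```python
import hashlib
import struct

# The 32-byte padding string from the PDF specification (Standard security handler)
PAD = bytes([0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
             0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
             0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A])


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); the cipher behind /V 1 and /V 2 crypt filters."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def compute_key(user_password, o_entry, p_value, file_id, revision, length_bits=128):
    """Spec algorithm 2: file key from the user password plus /O, /P (as unsigned LE32) and /ID[0]."""
    n = 5 if revision == 2 else length_bits // 8
    h = hashlib.md5((user_password + PAD)[:32] + o_entry
                    + struct.pack("<I", p_value & 0xFFFFFFFF) + file_id).digest()
    if revision >= 3:                       # /R 3 and later re-hash the first n bytes 50 times
        for _ in range(50):
            h = hashlib.md5(h[:n]).digest()
    return h[:n]


def compute_u(key, file_id, revision):
    """Spec algorithms 4 and 5: the /U value a conforming writer stores for this key."""
    if revision == 2:
        return rc4(key, PAD)
    x = rc4(key, hashlib.md5(PAD + file_id).digest())
    for i in range(1, 20):                  # 19 more passes with every key byte XORed by i
        x = rc4(bytes(b ^ i for b in key), x)
    return x + bytes(16)                    # 16 bytes of arbitrary padding


def authenticate_user(password, o_entry, u_entry, p_value, file_id, revision, length_bits=128):
    """Spec algorithm 6: return the file key if `password` opens the document, else None.
    An empty password that succeeds means the reader shows no prompt at all."""
    key = compute_key(password, o_entry, p_value, file_id, revision, length_bits)
    expected = compute_u(key, file_id, revision)
    ok = expected[:16] == u_entry[:16] if revision >= 3 else expected == u_entry
    return key if ok else None


def object_key(file_key, objnum, gen):
    """Spec algorithm 1: per-object RC4 key = MD5(file key + objnum[3 bytes LE] + gen[2 bytes LE])."""
    data = file_key + struct.pack("<I", objnum)[:3] + struct.pack("<H", gen)
    return hashlib.md5(data).digest()[:min(len(file_key) + 5, 16)]


def decrypt_stream(file_key, objnum, gen, ciphertext):
    return rc4(object_key(file_key, objnum, gen), ciphertext)


# Constructed sample mirroring the slide: /R 3 /V 2 /Length 128 /P -3904 and its /ID string.
# /O is arbitrary here (assumption); it only matters when recovering the owner password.
SAMPLE_ID = bytes.fromhex("3249d6fe1386f4984c3df5d288c0bb49")
SAMPLE_P, SAMPLE_R = -3904, 3
SAMPLE_O = hashlib.sha256(b"constructed /O placeholder").digest()
SAMPLE_JS = b"app.alert(unescape('%u9090%u9090'));"


def make_sample():
    """Produce the /U entry and an encrypted object 5 0 as a writer using an empty user password would."""
    key = compute_key(b"", SAMPLE_O, SAMPLE_P, SAMPLE_ID, SAMPLE_R)
    return compute_u(key, SAMPLE_ID, SAMPLE_R), rc4(object_key(key, 5, 0), SAMPLE_JS)


def recover_stream(o_entry, u_entry, p_value, file_id, revision, objnum, gen, ciphertext):
    """Scanner side: try the empty user password; on success hand back the decrypted stream for scanning."""
    key = authenticate_user(b"", o_entry, u_entry, p_value, file_id, revision)
    return None if key is None else decrypt_stream(key, objnum, gen, ciphertext)
```

If authenticate_user returns None for the empty password, the document genuinely needs a password, which is itself worth flagging: a gateway cannot inspect what it cannot decrypt.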

POC Demo: exploit and user lure.

How Do Malicious PDFs Spread? SQL injection; spam; botnets (Zbot etc.); exploit kits.

Attack Time Line: mass injections (inject hosts with src=http://ip/pdf.js) -> trigger exploit (goto http://xxx.com, virus.pdf, virus.swf, shellcode, hxxp://ip/trojan.exe) -> install clients (infostealer.exe, botclient.exe, smtphost.dll, other.dll) -> spread to others (spam emails, spam IMs, spam).

Weakness of AV: a hex-escaped filter name (/Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>) followed by a compressed stream; a bad PDF embedded inside a good PDF; both defeat AV signatures and threat categories that match on the raw bytes.

Examples

How to Detect: rules + signatures + heuristics + application behaviors. Pipeline: input -> decode (JBIG2Decode, FlateDecode, ASCIIHexDecode, ASCII85Decode) -> decrypt (RC4, MD5) -> deobfuscate (JavaScript: unescape, eval) -> scan (regex) -> output.
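An added example (not Websense code) that implements the decode-then-scan stage for the stream-level tricks shown on the PDF Frame, Filters and Weakness of AV slides: hex-escaped names, FlateDecode / ASCIIHexDecode / ASCII85Decode chains, and eval / unescape / %u runs in the decoded JavaScript. JBIG2Decode and decryption are left out of this block; the dictionary keys and tokens it flags, and the sample PDF builder, are this example's own choices.

```python
import base64
import binascii
import re
import zlib

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")      # direct /Length only, not "6 0 R"

# Keys and tokens this example treats as suspicious (its own choice, not a Websense rule set)
DICT_TOKENS = {"/JavaScript": rb"/JavaScript", "/JS": rb"/JS\b", "/OpenAction": rb"/OpenAction",
               "/Launch": rb"/Launch", "/EmbeddedFile": rb"/EmbeddedFile", "/Encrypt": rb"/Encrypt\b"}
STREAM_TOKENS = {"eval(": rb"eval\s*\(", "unescape(": rb"unescape\s*\(",
                 "%u shellcode run": rb"(?:%u[0-9A-Fa-f]{4}){8,}"}


def unescape_name(raw):
    """Resolve #xx escapes: /#46#6c#61#74#65#44#65#63#6f#64#65 -> /FlateDecode."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def asciihex_decode(data):
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", data.split(b">")[0])
    return binascii.unhexlify(digits + b"0" if len(digits) % 2 else digits)


DECODERS = {b"FlateDecode": zlib.decompress, b"ASCIIHexDecode": asciihex_decode,
            b"ASCII85Decode": lambda d: base64.a85decode(d.split(b"~>")[0])}   # JBIG2Decode: not here


def _dict_end(data, start):
    """Index just past the >> closing the << at `start`; nested dictionaries are honoured,
    but a >> inside a literal string would fool it (a real parser tokenises strings)."""
    depth, i = 0, start
    while i < len(data):
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return i
        else:
            i += 1
    return len(data)


def iter_dicts(data):
    """Yield (dictionary bytes with names unescaped, raw stream bytes or None), skipping stream
    bodies so binary data is never read as syntax. The xref table is ignored on purpose: readers
    rebuild a broken one, so a scanner that trusts it can be steered past objects."""
    pos = 0
    while (start := data.find(b"<<", pos)) >= 0:
        end = _dict_end(data, start)
        d = unescape_name(data[start:end])
        m = re.match(rb"\s*stream\r?\n", data[end:end + 12])
        if not m:
            yield d, None
            pos = end
            continue
        data_start = end + m.end()
        lm = LENGTH_RE.search(d)
        if lm:
            data_end = data_start + int(lm.group(1))
        else:
            es = data.find(b"endstream", data_start)
            data_end = es if es >= 0 else len(data)
        yield d, data[data_start:data_end]
        es = data.find(b"endstream", data_end)
        pos = es + len(b"endstream") if es >= 0 else len(data)


def decode_stream(d, stream):
    """Undo the /Filter chain in the order written; raise on a filter this example cannot decode."""
    m = FILTER_RE.search(d)
    for name in (re.findall(rb"/([A-Za-z0-9]+)", m.group(1)) if m else []):
        if name not in DECODERS:
            raise ValueError("unsupported filter " + name.decode())
        stream = DECODERS[name](stream)
    return stream


def scan_pdf(data):
    """Return findings: suspicious dictionary keys, then suspicious content in decoded streams."""
    findings = []
    for d, stream in iter_dicts(data):
        findings += ["dict: " + label for label, pat in DICT_TOKENS.items() if re.search(pat, d)]
        if stream is None:
            continue
        try:
            content = decode_stream(d, stream)
        except (ValueError, zlib.error, binascii.Error) as exc:
            findings.append("stream: undecodable (%s)" % exc)   # itself a signal: AV is blinded the same way
            continue
        findings += ["stream: " + label for label, pat in STREAM_TOKENS.items() if re.search(pat, content)]
    return findings


def _hexname(name):
    return "/" + "".join("#%02x" % b for b in name.encode())


def build_sample_pdf(js=None, hide_filter_name=True, hex_chain=False):
    """Constructed sample (not a real malicious file). js=None gives a plain one-page PDF; otherwise
    an /OpenAction runs `js` from a FlateDecode stream whose filter name is hex-escaped and, with
    hex_chain=True, additionally wrapped in ASCIIHexDecode, two tricks from the slides."""
    raw = zlib.compress((js or "BT /F1 12 Tf (hello) Tj ET").encode())
    flate = _hexname("FlateDecode") if hide_filter_name else "/FlateDecode"
    filt = "[/ASCIIHexDecode %s]" % flate if hex_chain else flate
    if hex_chain:
        raw = binascii.hexlify(raw) + b">"
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if js else b"") + b" >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Contents 5 0 R >> endobj",
            b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj" if js else b"",
            b"5 0 obj << /Length %d /Filter %s >>\nstream\n" % (len(raw), filt.encode()) + raw + b"\nendstream endobj"]
    return b"%PDF-1.3\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R /Size 6 >>\n%%EOF\n"
```

The unescape step runs before the filter lookup, which is the whole point of the Weakness of AV slide: a signature on the literal bytes "/FlateDecode" never fires, but a scanner that normalises names and then inflates the stream sees the same eval/unescape it would in an unobfuscated file.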

Malicious Content Stripping: the Web Security Gateway (Active Security Module, Content Gateway Module, Email Security Module) removes malicious script, ActiveX etc. and displays the safe content.

Other Solutions: server-side display; virtual client / sandbox.

Portable RIA

PDF Portfolio

PDF Portfolio: scan the embedded files (pictures, multimedia, documents) and strip them.

THANKS June 2010